BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Windows Defence Evasion and Fortification Primitives
 \n   When: Saturday\, Aug 13\, 09:00 - 12:59 PDT\n   Where: Harrah's - Ren
 o (Workshops) - [1]Map\n   Speakers:Paul Laîné\,Rohan Durve\n\n   Speake
 rBio:Paul Laîné \, Senior Security Consultant\n   Paul L. (@am0nsec) is 
 a Senior Consultant at Mandiant. Paul works in\n   R&D to improve Simulate
 d Attack (SA) capabilities. With a strong\n   interest in Microsoft Window
 s systems\, low-level programming and\n   x86 Instruction Set Architectu
 re (ISA)\, Paul specialises in the\n   development of malware and tools fo
 r SA operations. Some of his work\n   is publicly available on GitHub and 
 discussed on his Twitter profile.\n   Twitter: [2]@am0nsec\n\n   SpeakerBi
 o:Rohan Durve \, Senior Security Consultant\n   Rohan (@Decode141) is a Se
 nior Consultant at Mandiant with a primary\n   interest in attack simulati
 on. Rohan is most interested in Windows and\n   Active Directory assessmen
 ts but is also involved in delivering offensive\n   security training an
 d capability development. Rohan's presented at\n   conferences such as Bla
 ckHat\, BSi
 des London and BSides LV in the past.\n   Twitter: [3]@Decode141\n\n   Des
 cription:\n   The Windows Defence Evasion and Fortification Primitives wor
 kshop will\n   walk candidates through adapting initial access\, code exec
 ution\,\n   credential access and lateral movement TTPs against commonly\n
    encountered defences (such as Anti-Virus\, Endpoint Detection Tooling\n
    and Windows Credential Guard). Candidates will be challenged to think\n
    critically and expand their classroom knowledge of vulnerabilities\n   
 against limitations in defensive technologies on Windows 10\, 11\,\n   Ser
 ver 2016 and Server 2019 systems.\n\n   Agenda:\n   - Connectivity and Set
 up Tests\n   - Initial Endpoint Compromise and Code Execution\n\n     * Di
 scussing common defensive challenges\n\n         * AV\n\n         * Applic
 ation control\n\n         * Process relationship\n\n         * Process flo
 w using Attack Surface Reduction Rules\n\n         * AMSI - Initial Access
 \n\n         * DLL Hijacking/Proxying\n\n             * Identifying common
  issues\n\n             * Creating DLLs - Living out-of-land\n\n         *
  SOCKS Proxy\n\n             * Unmanaged code\n\n             * Managed co
 de - In-process/In-memory unmanaged code\n               execution\n\n    
      * Leveraging C2 capabilities\n\n         * Injection - Credential Acc
 ess\n\n         * Interrogating Browsers\n\n             * Information gat
 hering\n\n             * Extracting secrets\n\n         * LSA\n\n         
     * Running Mimikatz/Kekeo\n\n             * What's a protected process?
 \n\n             * In-memory patching using\n\n             * Discussing o
 ther methods\n\n             * Credential Guard\n\n             * Remote D
 esktop Credential Guard\n\n             * Effects of EDR\n\n             *
  Kerberos\n\n                 * Session 0\n\n                 * Code Injec
 tion\n\n                 * TGS Exports - Lateral Movement\n\n             
         * SMB\n\n         * Artefacts\n\n         * Customisation\n\n     
         * Service\n\n             * Named pipe\n\n                 * Alter
 natives (WinRM/RDP)\n\n         * Artefacts\n\n         * SOCKS Proxy\n\n 
           Materials\n                 Laptop capable of outbound SSH/RDP t
 o our labs.\n\n           Prereq\n                 Workshop candidates sho
 uld familiarise themselves with\n                 common tooling (such a
 s a 
 C2\, PowerShell\, MS Build\,\n                 Rubeus and Kekeo) and have 
 experience using common\n                 Windows protocols (such as SMB a
 nd RDP). Suggested\n                 exercises and labs for this will be s
 ent to registered\n                 candidates prior to the workshop.\n\n 
   '\n\n   1. https://defcon.outel.org/consolidated_page.html#Harrahs\n   2
 . https://twitter.com/am0nsec\n   3. https://twitter.com/Decode141\n\n\n
DTEND:20220813T195900Z
DTSTART:20220813T160000Z
LOCATION:WS - Harrah's - Reno (Workshops)
SUMMARY:Windows Defence Evasion and Fortification Primitives
END:VEVENT
END:VCALENDAR
